Phishing: avoid scams on the internet

What is phishing?

Every year the number of daily phishing attacks multiplies, making it one of the most common scams on the internet. Those who carry out this scam obtain confidential information such as bank passwords or credit card information, but how do they do it?

Phishing is an attempt at stealing one's identity: Cybercriminals pose as a well-known and reputable company, institution, or service to trick you into stealing your private data, access credentials, or banking details. This fraudulent practice is based on social engineering, that is, its success is based on the trust you have in the company or institution that is being impersonated. For this reason, many of these communications use the identity of financial or banking services.

Additionally, phishing is also sometimes used to infect devices with some type of malware (malicious program).

What is the process for stealing data in phishing?

The process can be summarised into these steps:

1.  The cybercriminal selects the brand to be impersonated.
2. Then, after determining what information he wants to obtain from the user, he select the medium through which to spread his false message.
3. He creates a message that is usually worrying and provokes a reaction in the user, usually to click on a link provided or downloading and executing an attached file.
4. He then redirects the victim to a false web page, which is practically the same or very similar to the legitimate one of the impersonated service.
5. The user, thinking that they are on the official site, ends up filling out the different forms that are provided on the malicious website.
6. Finally, the captured data will be stored on some remote server controlled by cybercriminals and subsequently used to carry out fraudulent actions: impersonating someone, committing other crimes on their behalf, hijacking user accounts, stealing money, sending spam, etc.

How can I avoid being a victim of a phishing attack?

Email is the most common means used by cybercriminals to attack you with phishing techniques. Here are some of the steps you can take to prevent phishing and internet scams:

1. Always find out who is sending the emails
   If you do not know the sender or the domain does not match the company or service it claims to be, then you may be facing a case of phishing. For example, if you receive an email on behalf of Santander, and the email domain does not include the bank’s name, it is suspicious. The same applies if the mail that reaches you is using a free mail service such as Gmail, Outlook, Yahoo !, etc.
2. Be suspicious of alarmist subjects
   The subject is usually very flashy or requests some sort of urgent action. Some examples that can help you: "You have a new security message", "Suspicious movements detected", "Deletion of inactive accounts", "You have received a notification", "You have a package waiting", etc.
3. Look at the writing and spelling
   Phishing emails often have poorly constructed or meaningless phrases, words with strange symbols or characters, misspellings, etc. A service with a good reputation will ensure that both the structure and design of the email and its content are correct, since the image transmitted to users is a very important aspect for any reputable service. But beware, cybercriminals are also improving their practices, so if you find a suspicious message that is worded perfectly, make sure you have at least verified the other clues before deeming it to be trustworthy.
4. Look for signs of personalisation
   A phishing message is barely personalised or not at all. Anonymous communications such as "Dear customer", "User notification" or "Dear friend", are indications that should warn you. If a criminal wants to swindle hundreds of thousands of people, it is very difficult for him to know each of their names. So they use generic formulas like the ones mentioned above.
5. Be suspicious when they request your personal or bank details
   Whether they are calls or emails requesting your full electronic signature, it is not common to request these data through such channels due to the risk of fraud and scams.
   In our case, with the application of the SCA regulations for e-commerce, on some occasions we will send a message/notification to your mobile phone with a link that will redirect you to the Bank's identification page. There we will ask you for the access code you use to access your Online Banking or the card PIN, if you do not have a Digital Banking contract. Find out more about this regulation here.
6. Before clicking, check the URL of the link
   The aim of the criminals is for you to click on a link to take you to a fraudulent website, instead of the legitimate page. Therefore, it is important to check that the link is reliable. To do this, you can place the cursor over the button or the link and check the address shown in the bottom left of the browser or your email customer. If what you see is suspicious, don't click!
7. Do not download files without looking at the extension
   If the message you receive asks you to download a file that has more than one extension, something like "filename.doc.zip", or it is a compressed file (.zip) or an executable (.exe ), do not even think about downloading it as it is more than likely that your devices end up infected. In any case, if you trust the source and choose to download the file, always scan it with an antivirus before opening and executing it.